Lately, I've had a huge problem with targeted brute attacks against specific user accounts. In the past, they'd attempt several times from a single IP and get blocked by fail2ban. That no longer works. It seems now whoever is targeting me is rotating through a different IP with each attempt and fail2ban is useless. I have Carbonio behind an opnsense firewall that runs Crowdsec and blocks general known bad IP's with the free filters. That doesn't seem to help much. Any ideas how to prevent this? I'm getting locked out of my own account half the day these last couple days.
I experience the same problem. When my account gets locked by brute force attack I find the ip's in the log and filteres them.
I use this command to find them for a specific email address:
fgrep 'donald@duck.com' /opt/zextras/log/mailbox.log | fgrep ImapServer | fgrep 'nvalid credentials' | awk '{ f=index( $0, "oip=" ); l=index( $0, "via=" ); print substr( $0, f+4, l-f-5 ) }'
An automated solution would much appreciated.
Thanks